Internet Research Task Force (IRTF)                            J. Levine
Request for Comments: 5782                          Taughannock Networks
Category: Informational                                    February 2010
ISSN: 2070-1721
DNS Blacklists and Whitelists
Abstract
The rise of spam and other anti-social behavior on the Internet has
led to the creation of shared blacklists and whitelists of IP
addresses or domains. The DNS has become the de-facto standard
method of distributing these blacklists and whitelists. This memo
documents the structure and usage of DNS-based blacklists and
whitelists, and the protocol used to query them.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Research Task Force
(IRTF). The IRTF publishes the results of Internet-related research
and development activities. These results might not be suitable for
deployment. This RFC represents the consensus of the Anti-Spam
Research Group of the Internet Research Task Force (IRTF). Documents
approved for publication by the IRSG are not a candidate for any
level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc5782.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction
2. Structure of an IP Address DNSBL or DNSWL
   2.1. IP Address DNSxL
   2.2. IP Address DNSWL
   2.3. Combined IP Address DNSxL
   2.4. IPv6 DNSxLs
3. Domain Name DNSxLs
4. DNSxL Cache Behavior
5. Test and Contact Addresses
6. Typical Usage of DNSBLs and DNSWLs
7. Security Considerations
8. References
   8.1. Normative References
   8.2. Informative References
1. Introduction
In 1997, Dave Rand and Paul Vixie, well-known Internet software
engineers, started keeping a list of IP addresses that had sent them
spam or engaged in other behavior that they found objectionable.
Word of the list quickly spread, and they started distributing it as
a BGP feed for people who wanted to block all traffic from listed IP
addresses at their routers. The list became known as the Real-time
Blackhole List (RBL).
Many network managers wanted to use the RBL to block unwanted e-mail,
but weren't prepared to use a BGP feed. Rand and Vixie created a
DNS-based distribution scheme that quickly became more popular than
the original BGP distribution. Other people created other DNS-based
blacklists either to compete with the RBL or to complement it by
listing different categories of IP addresses. Although some people
refer to all DNS-based blacklists as "RBLs", the term properly is
used for the Mail Abuse Prevention System (MAPS) RBL, the descendant
of the original list. (In the United States, the term RBL is a
registered service mark of Trend Micro [MAPSRBL].)
The conventional term is now DNS blacklist or blocklist, or DNSBL.
Some people also publish DNS-based whitelists or DNSWLs. Network
managers typically use DNSBLs to block traffic and DNSWLs to
preferentially accept traffic. The structure of a DNSBL and a DNSWL
is the same, so in the subsequent discussion we use the abbreviation
DNSxL to mean either.
This document defines the structure of DNSBLs and DNSWLs. It
describes the structure, operation, and use of DNSBLs and DNSWLs but
does not describe or recommend policies for adding or removing